Hawai‘i state government webpages are unwittingly hosting advertisements for AI porn, a Mainland whistleblower has warned.
Over the past several weeks, unknown users have been discovered piggybacking off of government websites nationwide to improve web visibility for various links to illicit online products such as AI porn generators or video game hacks.
At least one of these pages was found on the Hawai‘i state government’s online web portal, Arizona resident Brian Penny, the person who discovered these web pages, told Aloha State Daily.
“What this is is an SEO scheme,” Penny said, referring to Search Engine Optimization, the practice of tailoring a product to appear among the first search results of an online search engine like Google. “[Government] domains get very high SEO rankings, that and .edu domains. And you can’t get a .gov domain unless you’re part of the government.”
Users have been exploiting services on government websites that allow users to upload documents and forms to the site, Penny said. Then, when someone searches for certain phrases — “Roblox cheats,” for example, or “AI porn app” — those forms, now with an SEO-friendly .gov in the URL, could appear at the top of the search.
Penny said he found several other state governments whose websites were hosting similar files, such as the Nevada Department of Transportation, and a California website for the Mojave Desert Air Quality Management District. Most official responses, he said, were quick to blame third-party software providers.
In many cases, the files were hosted via Granicus, a web platform that hosts records and files, and handles requests to access said files. In November, Granicus issued a statement assuring that they had not been hacked, and had subsequently patched the issue by blocking uploaded documents from being publicly searchable.
In Hawai‘i's case, the offending documents were posted through the state’s eHawaii.gov portal. Penny said third-party software provider Tyler Technologies handles user logins while the remainder of the eHawaii websites use Granicus systems.
While one illicit porn advertisement — promising “AI Porn tools and advanced photo alteration” that can “reveal or enhance images instantly” — was accessible on eHawaii.gov on Dec. 1, the page is no longer reachable. Searching for “AI porn” and “Hawaii.gov” at the same time still, at the time of publication, returned a link to that advertisement as the first result, but clicking the link only led to a “page not found” error message on the state website.
Penny said the advertisements contained clickable links which would, presumably, expose a user to malware and otherwise compromise a device’s security.
“I guess the question is, how safe do you feel?” Penny said. “At the end of the day, are you really cybersecure? What if China’s seeing these vulnerabilities?”
While it’s unclear whether this particular security exploit caused much harm beyond to a handful of internet users searching for AI porn apps, Penny guessed that a more malicious perpetrator could have used the exploit to infiltrate government websites directly.
Nobody from the Hawai‘i government responded to Penny’s attempts to warn them, Penny said. Nonetheless, he said he is continuing to alert state governments as these illicit web pages continue to crop up.
“This shouldn’t be my problem,” Penny laughed. “I’m somehow sitting as this single point of failure for all these systems. I’m just a pothead in Arizona.”
ASD requested comments from Tyler Technologies and Hawai‘i's Office of Enterprise Technology Services, which ASD also alerted about the issue.
